diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b43b962cce68..5579c8ad9783 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -238,6 +238,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Auditbeat* +- Reference kubernetes manifests include configuration for auditd and enrichment with kubernetes metadata. {pull}17431[17431] - Reference kubernetes manifests mount data directory from the host, so data persist between executions in the same node. {pull}17429[17429] - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443] diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml index b41e6576ad36..2efe8b6ab99c 100644 --- a/deploy/kubernetes/auditbeat-kubernetes.yaml +++ b/deploy/kubernetes/auditbeat-kubernetes.yaml @@ -16,6 +16,17 @@ data: processors: - add_cloud_metadata: + - add_process_metadata: + match_pids: ['process.pid'] + include_fields: ['container.id'] + - add_kubernetes_metadata: + host: ${NODE_NAME} + default_indexers.enabled: false + default_matchers.enabled: false + indexers: + - container: + matchers: + - fields.lookup_fields: ['container.id'] cloud.id: ${ELASTIC_CLOUD_ID} cloud.auth: ${ELASTIC_CLOUD_AUTH} @@ -50,6 +61,14 @@ data: max_file_size: 100 MiB hash_types: [sha1] recursive: true + - module: auditd + audit_rules: | + # Executions + -a always,exit -F arch=b64 -S execve,execveat -k exec + + # Unauthorized access attempts + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access --- # Deploy a auditbeat instance per node for node metrics retrieval apiVersion: apps/v1 @@ -71,6 +90,7 @@ spec: serviceAccountName: auditbeat terminationGracePeriodSeconds: 30 hostNetwork: true + hostPID: true # Required by auditd module dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat @@ -94,6 +114,12 @@ spec: value: securityContext: runAsUser: 0 + capabilities: + add: + # Capabilities needed for auditd module + - 'AUDIT_READ' + - 'AUDIT_WRITE' + - 'AUDIT_CONTROL' resources: limits: memory: 200Mi diff --git a/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml b/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml index d5589df00bf8..7a17c80e5a79 100644 --- a/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml +++ b/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml @@ -16,6 +16,17 @@ data: processors: - add_cloud_metadata: + - add_process_metadata: + match_pids: ['process.pid'] + include_fields: ['container.id'] + - add_kubernetes_metadata: + host: ${NODE_NAME} + default_indexers.enabled: false + default_matchers.enabled: false + indexers: + - container: + matchers: + - fields.lookup_fields: ['container.id'] cloud.id: ${ELASTIC_CLOUD_ID} cloud.auth: ${ELASTIC_CLOUD_AUTH} @@ -50,3 +61,11 @@ data: max_file_size: 100 MiB hash_types: [sha1] recursive: true + - module: auditd + audit_rules: | + # Executions + -a always,exit -F arch=b64 -S execve,execveat -k exec + + # Unauthorized access attempts + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access diff --git a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml index c041f6b96ea5..5f669400f356 100644 --- a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml +++ b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml @@ -18,6 +18,7 @@ spec: serviceAccountName: auditbeat terminationGracePeriodSeconds: 30 hostNetwork: true + hostPID: true # Required by auditd module dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat @@ -41,6 +42,12 @@ spec: value: securityContext: runAsUser: 0 + capabilities: + add: + # Capabilities needed for auditd module + - 'AUDIT_READ' + - 'AUDIT_WRITE' + - 'AUDIT_CONTROL' resources: limits: memory: 200Mi